##############################
# General configuration for pf
##############################
# Review notes. This looks like a pf.conf emitted by a pfSense-style rule
# generator ("ridentifier" and "label" options are its rule tags; the
# "redmine #2073" and "sshguard" comments below are its stock text).
# Key findings, each detailed inline at the rule in question:
#   * The user rule in "Rules for WAN" passes ALL inbound IPv4 from any
#     source. Because it is "quick" it overrides the default deny and, together
#     with the unrestricted "pass out inet all" in the host-itself section,
#     exposes every service on this host and every routed network to the WAN.
#   * IPv4 outbound NAT translates to a fixed WAN address although the WAN is a
#     DHCP client (the inet6 NAT rules correctly use "(em0)" instead).
#   * The generator emitted an error comment about a missing "opt1" interface:
#     OPT1 (192.168.253.0/24) has NAT rules but no filter rules at all.
#   * All IPv6 is blocked early with "quick", so every later inet6 rule in the
#     file is unreachable (dead, but harmless).
#   * <bogons> is defined twice and is referenced by no rule, so no bogon
#     filtering is applied on WAN.
set hostid 0x3915791e
# if-bound: states belong to the interface they were created on. Rules that
# need asymmetric paths (the IPsec/VTI "pass out" rules) opt back into
# floating states explicitly with "keep state (floating)".
set state-policy if-bound
set limit table-entries 400000
set optimization normal
set limit states 401000
set limit src-nodes 401000

##############################
# Aliases used by the firewall
##############################
# System-defined aliases for interfaces
loopback = "{ lo0 }"
WAN = "{ em0 }"
# WAN network plus two extra /32s on the same subnet; the host-itself section
# below emits route-to rules for .25, .33 and .34, so .33/.34 are presumably
# additional WAN addresses (virtual IPs) - confirm against the interface config.
table <WAN__NETWORK> persist { 192.168.254.0/24 192.168.254.33/32 192.168.254.34/32 }
WAN__NETWORK = "<WAN__NETWORK>"
# The IPsec VTI (ipsec1) is the only "LAN"-role interface in this ruleset;
# the VTI is a 10.15.0.0/30 point-to-point (local .2, peer .1 per the rules below).
VTI = "{ ipsec1 }"
table <LAN__NETWORK> persist { 10.15.0.0/30 }
LAN__NETWORK = "<LAN__NETWORK>"
IPsec = "{ enc0 }"
# Empty persist tables: the interfaces exist but carry no address here.
table <ENC0__NETWORK> persist {  }
ENC0__NETWORK = "<ENC0__NETWORK>"
WireGuard = "{ WireGuard }"
table <WIREGUARD__NETWORK> persist {  }
WIREGUARD__NETWORK = "<WIREGUARD__NETWORK>"

# System-defined aliases available to the user
# NOTE(review): <bogons> is defined twice below (identical definitions).
# Verify with "pfctl -nf" that pfctl accepts the redefinition; if the
# generator emits this when IPv6 bogons are disabled, fix it at the source.
# More importantly, no rule in this file references <bogons>, so bogon sources
# are not blocked on WAN. Be careful when adding one: the WAN itself lives in
# RFC1918 space (192.168.254.0/24), so a blanket private/bogon block on WAN
# would also drop the gateway 192.168.254.10 and the IPsec peer .21.
table <bogons> persist file "/etc/bogons"
bogons = "<bogons>"
table <bogons> persist file "/etc/bogons"
bogons = "<bogons>"
#SSH Lockout Table
# Populated externally (sshguard); only consulted by the two block rules
# for ports 22 and 443 further down.
table <sshguard> persist
#Snort tables
# Not "persist": pf keeps them only while rules reference them. They are
# referenced by the IDS/AV block rules below, so they survive reloads; the
# contents themselves come from the IDS package, not from this file.
table <snort2c>
table <virusprot>
# Unused/empty placeholder macro from the generator.
_nexus_vpn_port_ = "{  }"
# 10.15.0.1 is the VTI *peer* address (it is the GWVTI_VTIV4 gateway below).
# vpn_networks drives the "fragment no reassemble" scrub rules; negate_networks
# is defined but not referenced in this file.
table <vpn_networks> { 10.15.0.1/32 }
table <negate_networks> { 10.15.0.1/32 }
# Built-in address-class tables. Only <_nat64reserved_> is referenced by a rule
# in this file; the rest are available for user rules.
table <_loopback4_> {   127.0.0.0/8 }
_loopback4_ = "<_loopback4_>"
table <_loopback6_> {   ::1/128 }
_loopback6_ = "<_loopback6_>"
table <_loopback46_> {    127.0.0.0/8   ::1/128 }
_loopback46_ = "<_loopback46_>"
table <_linklocal4_> {   169.254.0.0/16 }
_linklocal4_ = "<_linklocal4_>"
table <_linklocal6_> {   fe80::/10 }
_linklocal6_ = "<_linklocal6_>"
table <_linklocal46_> {    169.254.0.0/16   fe80::/10 }
_linklocal46_ = "<_linklocal46_>"
table <_private4_> {   10.0.0.0/8  172.16.0.0/12  192.168.0.0/16 }
_private4_ = "<_private4_>"
table <_private6_> {   fc00::/7 }
_private6_ = "<_private6_>"
table <_private46_> {    10.0.0.0/8  172.16.0.0/12  192.168.0.0/16   fc00::/7 }
_private46_ = "<_private46_>"
table <_multicast4_> {   224.0.0.0/4 }
_multicast4_ = "<_multicast4_>"
table <_multicast6_> {   ff00::/8 }
_multicast6_ = "<_multicast6_>"
table <_multicast46_> {    224.0.0.0/4   ff00::/8 }
_multicast46_ = "<_multicast46_>"
table <_reserved4_> {   0.0.0.0/8  10.0.0.0/8  100.64.0.0/10  127.0.0.0/8  169.254.0.0/16  172.16.0.0/12  192.0.0.0/24  192.0.2.0/24  192.88.99.0/24  192.168.0.0/16  198.18.0.0/15  198.51.100.0/24  203.0.113.0/24  224.0.0.0/4  240.0.0.0/4  255.255.255.255/32 }
_reserved4_ = "<_reserved4_>"
table <_reserved6_> {   ::1/128  ::/128  ::ffff:0:0/96  64:ff9b::/96  64:ff9b:1::/48  100::/64  2001::/23  2001:2::/48  2001:db8::/32  2002::/16  3fff::/20  5f00::/16  fc00::/7  fe80::/10  ff00::/8 }
_reserved6_ = "<_reserved6_>"
table <_reserved46_> {    0.0.0.0/8  10.0.0.0/8  100.64.0.0/10  127.0.0.0/8  169.254.0.0/16  172.16.0.0/12  192.0.0.0/24  192.0.2.0/24  192.88.99.0/24  192.168.0.0/16  198.18.0.0/15  198.51.100.0/24  203.0.113.0/24  224.0.0.0/4  240.0.0.0/4  255.255.255.255/32   ::1/128  ::/128  ::ffff:0:0/96  64:ff9b::/96  64:ff9b:1::/48  100::/64  2001::/23  2001:2::/48  2001:db8::/32  2002::/16  3fff::/20  5f00::/16  fc00::/7  fe80::/10  ff00::/8 }
_reserved46_ = "<_reserved46_>"
# The IPv4 reserved ranges above, embedded in the 64:ff9b::/96 NAT64 prefix.
table <_nat64reserved_> {   64:ff9b::0/104  64:ff9b::a00:0/104  64:ff9b::6440:0/106  64:ff9b::7f00:0/104  64:ff9b::a9fe:0/112  64:ff9b::ac10:0/108  64:ff9b::c000:0/120  64:ff9b::c000:200/120  64:ff9b::c058:6300/120  64:ff9b::c0a8:0/112  64:ff9b::c612:0/111  64:ff9b::c633:6400/120  64:ff9b::cb00:7100/120  64:ff9b::e000:0/100  64:ff9b::f000:0/100  64:ff9b::ffff:ffff/128 }
_nat64reserved_ = "<_nat64reserved_>"

# User-defined aliases
# Defined but not referenced by any rule in this file; the same prefix is
# NATed out WAN below as a "static route" network.
table <test_alias_dst_route> {   192.168.33.0/24 }
test_alias_dst_route = "<test_alias_dst_route>"

# System gateways
# WAN default gateway is learned via DHCP (see the DHCP client rules below).
GWWAN_DHCP = " route-to ( em0 192.168.254.10 ) "
# No IPv6 gateway: empty macro, unused in this file.
GWWAN_DHCP6 = "  "
GWVTI_VTIV4 = " route-to ( ipsec1 10.15.0.1 ) "

##########################################
# Interfaces used with pf stats collection
##########################################
set loginterface ipsec1

#################################
# Interfaces without pf filtering
#################################
# pfsync state-sync traffic is never filtered.
set skip on pfsync0

############################################
# Preserve rule counters across rule updates
############################################
set keepcounters

##########################################
# Required rules for traffic normalization
##########################################
# Traffic to/from the VTI peer is deliberately not reassembled (generator
# default for IPsec peers - presumably to avoid reassembly interfering with
# tunnel encapsulation); all other WAN/VTI traffic is reassembled.
scrub from any to <vpn_networks>   fragment no reassemble
scrub from <vpn_networks> to any   fragment no reassemble
scrub on $WAN inet all    fragment reassemble
scrub on $WAN inet6 all    fragment reassemble
scrub on $VTI inet all    fragment reassemble
scrub on $VTI inet6 all    fragment reassemble

#######################################
# Rules for Network Address Translation
#######################################
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules (manual)
# NOTE(review): the inet rules translate to a hard-coded 192.168.254.25 while
# the WAN is a DHCP client (GWWAN_DHCP above, DHCP client pass rules below).
# If the lease ever hands out a different address, outbound NAT will keep
# translating to a stale one and return traffic will not reach this host.
# The inet6 rules use "(em0)", which tracks the live interface address; the
# inet rules should do the same (or the manual-NAT source config should).
# "static-port" on UDP/500 keeps the IKE source port intact for ISAKMP.
nat on $WAN inet from 127.0.0.0/8 to any port 500 -> 192.168.254.25/32  static-port # Auto created rule for ISAKMP - localhost to WAN
nat on $WAN inet from 127.0.0.0/8 to any -> 192.168.254.25/32 port 1024:65535  # Auto created rule - localhost to WAN
nat on $WAN inet6 from ::1/128 to any port 500 -> (em0)  static-port # Auto created rule for ISAKMP - localhost to WAN
nat on $WAN inet6 from ::1/128 to any -> (em0) port 1024:65535  # Auto created rule - localhost to WAN
# 192.168.33.0/24 is the test_alias_dst_route prefix (reached via a static route).
nat on $WAN inet from 192.168.33.0/24 to any port 500 -> 192.168.254.25/32  static-port # Auto created rule for ISAKMP - static route to WAN
nat on $WAN inet from 192.168.33.0/24 to any -> 192.168.254.25/32 port 1024:65535  # Auto created rule - static route to WAN
# OPT1 is NATed here, but see the "array key opt1 does not exist" error the
# generator emitted below: OPT1 got no filter rules, so its traffic is dropped
# by the default deny before it can ever be NATed.
nat on $WAN inet from 192.168.253.0/24 to any port 500 -> 192.168.254.25/32  static-port # Auto created rule for ISAKMP - OPT1 to WAN
nat on $WAN inet from 192.168.253.0/24 to any -> 192.168.254.25/32 port 1024:65535  # Auto created rule - OPT1 to WAN
# NOTE(review): 10.15.0.1 is the remote VTI peer address (GWVTI_VTIV4), not the
# local 10.15.0.2 or the 10.15.0.0/30 network. Confirm the generator picked
# the intended address for the "IPsec VTI" source here.
nat on $WAN inet from 10.15.0.1 to any port 500 -> 192.168.254.25/32  static-port # Auto created rule for ISAKMP - IPsec VTI:  to WAN
nat on $WAN inet from 10.15.0.1 to any -> 192.168.254.25/32 port 1024:65535  # Auto created rule - IPsec VTI:  to WAN

# NAT rules for the TFTP Proxy service
rdr-anchor "tftp-proxy/*"

#################################
# Extra rules from OpenVPN RADIUS
#################################
anchor "openvpn/*"

###############################
# Extra rules from IPsec RADIUS
###############################
anchor "ipsec/*"

#################################
# Rules to block all IPv6 packets
#################################
# Allow IPv6 on loopback
pass in  quick on $loopback inet6 all ridentifier 1000000001 label "descr=pass IPv6 loopback"
pass out  quick on $loopback inet6 all ridentifier 1000000002 label "descr=pass IPv6 loopback"
# Block all IPv6
# These are "quick" and match every non-loopback IPv6 packet, so every inet6
# rule after this point (NAT64 blocks, IPv6 default deny, the VTI IPv6 user
# rule) is unreachable. Harmless, but keep in mind when reading the rest.
block in log quick inet6 all ridentifier 1000000003 label "descr=Block all IPv6"
block out log quick inet6 all ridentifier 1000000004 label "descr=Block all IPv6"

################################################################
# Rules to block NAT64 translation for non-global IPv4 addresses
################################################################
# Unreachable here (all IPv6 is already blocked above); becomes relevant only
# if IPv6 is enabled.
block in log quick inet6 from any to <_nat64reserved_> ridentifier 1000000005 label "descr=Block NAT64 for non-global IPv4"
block out log quick inet6 from any to <_nat64reserved_> ridentifier 1000000006 label "descr=Block NAT64 for non-global IPv4"

########################################
# Rules to block IPv4 link-local packets
########################################
# Block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by
# a routing device, and clients "MUST NOT" send such packets to a router.
# FreeBSD won't route 169.254./16, but route-to can override that, causing
# problems such as in redmine #2073
block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "descr=Block IPv4 link-local"
block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "descr=Block IPv4 link-local"

#####################################################
# Required rules for the default-deny filter behavior
#####################################################
# Not "quick": pf uses last-match semantics, so any later matching pass rule
# overrides these. The two inet6 rules are unreachable (IPv6 blocked above).
block in log inet all ridentifier 1000000103 label "descr=Default deny rule IPv4" label "tags=ruleset:e85581c4c9f01147"
block out log inet all ridentifier 1000000104 label "descr=Default deny rule IPv4" label "tags=ruleset:e85581c4c9f01147"
block in log inet6 all ridentifier 1000000105 label "descr=Default deny rule IPv6" label "tags=ruleset:e85581c4c9f01147"
block out log inet6 all ridentifier 1000000106 label "descr=Default deny rule IPv6" label "tags=ruleset:e85581c4c9f01147"

#########################################
# Rules to drop invalid packets on port 0
#########################################
# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000107 label "descr=Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000108 label "descr=Block traffic to port 0"

################################################
# Rules to block packets matched by IDS packages
################################################
# Hosts inserted into <snort2c> by the IDS are dropped in both directions.
block log quick from <snort2c> to any ridentifier 1000000109 label "descr=Block snort2c hosts"
block log quick from any to <snort2c> ridentifier 1000000110 label "descr=Block snort2c hosts"

#######################################
# Required rules for CARP functionality
#######################################
# CARP rules
# Drop CARP that appears to come from one of our own addresses (reflected
# advertisements), then pass all other CARP stateless on every interface.
block in log quick proto carp from (self) to any ridentifier 1000000201 label "descr=CARP operation"
pass  quick proto carp no state ridentifier 1000000202 label "descr=CARP operation"

#######################################################
# Rules for blocklisted hosts accessing the SSH service
#######################################################
# "quick" and placed before the permissive WAN user rule, so the lockout still
# applies even though that rule passes everything else from the WAN.
block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "descr=sshguard"

##################################################
# Rules for blocklisted hosts accessing the WebGUI
##################################################
# Covers 443 only. The anti-lockout rule below also opens port 80 on the VTI
# (likely an HTTP->HTTPS redirect - confirm); the lockout does not cover it.
block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "descr=GUI Lockout"

#######################################################
# Rules to block packets matched by anti-virus packages
#######################################################
block in log quick from <virusprot> to any ridentifier 1000000400 label "descr=virusprot overload table"

#################################################
# Rules to prevent DHCP leaks in multi-WAN setups
#################################################
# DHCP replies received on WAN are tagged "dhcpin" below; refuse to forward them.
block out quick proto udp from any port = 67 to any port = 68 tagged "dhcpin" ridentifier 1000000451 label "descr=Prevent routing dhcp responses"

#########################
# Default interface rules
#########################
# allow our DHCP client out to the WAN
# Stateless on purpose (broadcast replies do not match a state).
pass in  quick on $WAN proto udp from any port = 67 to any port = 68 tag "dhcpin" no state ridentifier 1000000461 label "descr=allow dhcp replies in WAN"
pass out  quick on $WAN proto udp from any port = 68 to any port = 67 no state ridentifier 1000000462 label "descr=allow dhcp client out WAN" 
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.

# Required rules for antispoof protection
# Drops packets arriving on WAN that claim a WAN-network source from another
# interface, and packets on WAN sourced from our own WAN address.
antispoof log for $WAN ridentifier 1000001471 label "descr=antispoof protection"

# Required rules for antispoof protection
antispoof log for $VTI ridentifier 1000002521 label "descr=antispoof protection"

#####################################
# Required rules for loopback traffic
#####################################
pass in  on $loopback inet all ridentifier 1000004661 label "descr=pass IPv4 loopback"
pass out  on $loopback inet all ridentifier 1000004662 label "descr=pass IPv4 loopback"

##########################################################
# Required rules for traffic from the firewall host itself
##########################################################
# NOTE(review): despite its label, the first rule has no "on" interface and no
# "from (self)": it passes ALL outbound IPv4 on every interface, forwarded
# traffic included. This is the generator's design (filter on the inbound
# interface only), but it is what turns the inbound "pass any" on WAN below
# into full forwarding access to every routed network.
pass out  inet all keep state allow-opts ridentifier 1000004663 label "descr=let out anything IPv4 from firewall host itself"
# Host-originated traffic from each WAN address is forced out via the WAN
# gateway; traffic to the local WAN subnet is excluded so it stays on-link.
pass out  route-to ( em0 192.168.254.10 ) from 192.168.254.25 to !192.168.254.0/24 ridentifier 1000004761 keep state allow-opts  label "descr=let out anything from firewall host itself"
pass out  route-to ( em0 192.168.254.10 ) from 192.168.254.33 to !192.168.254.0/24 ridentifier 1000004762 keep state allow-opts  label "descr=let out anything from firewall host itself"
pass out  route-to ( em0 192.168.254.10 ) from 192.168.254.34 to !192.168.254.0/24 ridentifier 1000004763 keep state allow-opts  label "descr=let out anything from firewall host itself"
# 10.15.0.2 is this host's own VTI address; no route-to, normal routing applies.
pass out   from 10.15.0.2 to !10.15.0.0/30 ridentifier 1000004764 keep state allow-opts  label "descr=let out anything from firewall host itself"

############################################
# Required rules for IPsec host connectivity
############################################
# NOTE(review): the enc0 rule carries two "ridentifier" options on one line.
# Confirm with "pfctl -nf" that this parses (and which value wins); it looks
# like a generator glitch. "(floating)" overrides the global if-bound state
# policy so replies arriving on a different interface still match the state.
pass out  on $IPsec all ridentifier 1000005061 ridentifier 1000005062 keep state (floating) label "descr=IPsec internal host to host"
pass out  on ipsec1 all ridentifier 1000005063 keep state (floating) label "descr=IPsec VTI floating states"

#######################################################
# Rules to prevent accidental lockout from the firewall
#######################################################
# The VTI plays the LAN role here: the management GUI (443 and plaintext 80)
# is reachable from ANY source arriving over the tunnel, with no source
# restriction. Acceptable only if everything behind the IPsec peer is trusted;
# otherwise restrict the source or disable the anti-lockout rule.
pass in  quick on ipsec1 proto tcp from any to (ipsec1) port { 443 80 } ridentifier 10001 keep state label "descr=anti-lockout rule"

#######################
# Anchor for user rules
#######################
anchor "userrules/*"

#####################################
# Interface rules defined by the user
#####################################
# Rules for WAN
# SECURITY(review): this rule passes ALL inbound IPv4 from any source on the
# WAN. Being "quick" it is final on match, so it overrides the default deny
# for everything not already blocked above (only sshguard/snort/virusprot,
# link-local, port-0 and antispoof drops survive). Consequences:
#   - every service on this host (SSH 22, GUI 443, and anything else
#     listening) is reachable from the WAN side until a host is locked out;
#   - combined with the unrestricted "pass out inet all" above, any IPv4
#     destination routable from this box (10.15.0.0/30, 192.168.33.0/24,
#     192.168.253.0/24, ...) is forwardable from the WAN.
# Unless this WAN is a fully trusted lab segment, replace it with rules for the
# specific services/peers needed; note the IPsec peer (192.168.254.21) already
# has dedicated IKE/NAT-T/ESP pass rules in the "IPsec service" section below.
pass  in  quick  on $WAN reply-to ( em0 192.168.254.10 ) inet from any to any ridentifier 1778676401 keep state label "id=1778676401" label "tags=user_rule"

# Rules for VTI
# Default LAN->any allow, sourced from the VTI /30. The inet6 twin is
# unreachable because all IPv6 is blocked earlier in the file.
pass  in  quick  on $VTI reply-to ( ipsec1 10.15.0.1 ) inet from $LAN__NETWORK to any ridentifier 0100000101 keep state label "id=0100000101" label "tags=user_rule" label "descr=Default allow LAN to any rule"
pass  in  quick  on $VTI inet6 from $LAN__NETWORK to any ridentifier 0100000102 keep state label "id=0100000102" label "tags=user_rule" label "descr=Default allow LAN IPv6 to any rule"

# array key "opt1" does not exist for "" in array: {WAN VTI IPsec WireGuard }
# NOTE(review): the line above is an error message the rule generator wrote
# into the ruleset. It references an interface "opt1" that is not in the
# interface list, yet the NAT section contains "OPT1" rules for
# 192.168.253.0/24. Net effect: OPT1 has no filter or antispoof rules, so all
# of its traffic hits the default deny. Fix the interface assignment in the
# generator's configuration and regenerate rather than editing this file.

#############################
# Rules for the IPsec service
#############################
# Per-peer IKE (500), NAT-T (4500) and ESP rules for 192.168.254.21. The
# "pass out" rules are not bound to an interface. The inbound rules are
# currently redundant with the WAN "pass any" rule above; they become the
# effective policy once that rule is tightened.
pass out    proto udp from (self) to 192.168.254.21 port = 500 ridentifier 1000105201 keep state  label "descr=IPsec: 192.168.254.21 - outbound isakmp"
pass in  on $WAN   proto udp from 192.168.254.21 to (self) port = 500 ridentifier 1000105202 keep state label "descr=IPsec: 192.168.254.21 - inbound isakmp"
pass out    proto udp from (self) to 192.168.254.21 port = 4500 ridentifier 1000105203 keep state  label "descr=IPsec: 192.168.254.21 - outbound nat-t"
pass in  on $WAN   proto udp from 192.168.254.21 to (self) port = 4500 ridentifier 1000105204 keep state label "descr=IPsec: 192.168.254.21 - inbound nat-t"
pass out    proto esp from (self) to 192.168.254.21 ridentifier 1000105205 keep state  label "descr=IPsec: 192.168.254.21 - outbound esp proto"
pass in  on $WAN   proto esp from 192.168.254.21 to (self) ridentifier 1000105206 keep state label "descr=IPsec: 192.168.254.21 - inbound esp proto"

##################################
# Rules for the TFTP Proxy service
##################################
anchor "tftp-proxy/*"
